According to the banking industry body UK Finance, UK consumers were scammed out of a record £479 million last year, with a five per cent annual rise in money lost by customers unwittingly sanctioning payments to criminals.
This included a 94 per cent increase in “impersonation scams” where criminals posing as trusted organisations, including the NHS and Royal Mail, conned customers out of nearly £97 million.
However, police figures show that out of more than 350,000 frauds reported to the Action Fraud national helpline last year – with an estimated cost of £2.1 billion – only 5,101 offences resulted in a prosecution, down by nearly 34 per cent on the number taken to court in the previous year.
“We need to arrest more people. We need to prosecute more gangs. Criminals need to be thinking twice before sending these messages because they know they might be caught,” Mr Biggar said. “We need to recognise the effect this activity is beginning to have on the country. It is reducing confidence in our digital economy.
“The fact is that we don’t have enough people in law enforcement looking at fraud. It’s over 30 per cent of crime reported – but less than one per cent of policing and law enforcement are dedicated to it. Those numbers need to change.”
The NCA and its partners, including the National Cyber Security Centre (NCSC), have had their successes, with more than 36,000 distinct scams removed from 71,000 web pages. Hundreds of UK phone numbers involved in scams have been shut down in the last six months, a source said.
“We also need to be better with the tech industry and phone companies in trying to block this activity,” Mr Biggar said. “Of course it would be brilliant if we could find better ways of just stopping it at source.
“I think while we work on ways of disrupting, it’s really important that the public can spot the calls and texts that are coming in. For a time, that is certainly going to increasingly be a part of modern life. Given this is the way the country and the world is moving, it’s really important that we get more on top of this – now.”
Revealed: Scammers buying fake web addresses from US tech firm
When the text message flashes up, the wording is nearly always the same. “Royal Mail: Your package has a £2.99 shipping fee,” the message says, with a website link to “pay this now”. “Your package will be returned if fee is unpaid.”
It is an attempted con thought to have been sent to millions of phones across the UK in recent weeks. The Royal Mail scam is only the latest – scammers have posed as other trusted organisations during the pandemic including the NHS, Halifax bank and HMRC. Many victims unfortunate enough to have clicked on the fake links have ended up handing over their life savings.
But the cyber criminals responsible are not luring victims to a remote corner of the dark web, as might be expected. Instead, a Telegraph investigation has found Royal Mail scammers buying their fake web addresses from a leading US tech firm before paying the same company – Namecheap.com – to host their fake websites.
Namecheap charges around £25 per year to host each website, with a domain name costing around £7 depending on its extension, like .com or .co.uk. The firm says it takes down any websites confirmed to be a scam and cancels or refunds any payments.
A snapshot analysis carried out last week found Namecheap appeared to be hosting more than 200 sites being used by fraudsters to impersonate the Royal Mail and steal bank details. The criminals have bought domain names such as “royalmailbill” or “royalmail-redirect.me” which appear to be legitimate, mocked up with Royal Mail branding and an invitation to “proceed to redelivery payment”.
Once someone enters their details on the Namecheap site, the information is sent directly to the gang. Later, perhaps the next day, the victim will receive a phone call – apparently from their bank – telling them there has been unauthorised access and asking them to move their money to a new account. The cash is never seen again.
‘We need all providers hosting these sites to do more’
Namecheap, based in Phoenix, Arizona, is one of the biggest domain name providers in the world. Mr Biggar confirmed that UK investigators have been in regular contact with the company to try and remove scam pages, but with varying success.
“It’s definitely true that Namecheap can do more. We need all providers hosting these sites to do more,” he told The Telegraph. “We ask them to take down the pages really quickly, but their responses can be sporadic. Sometimes quick, sometimes slower.”
Mr Biggar’s greatest frustration, however, is that Namecheap either cannot or will not supply information that might lead UK authorities to their quarry.
“These firms just don’t appear to know who their customers are,” he said. “The banks have got better over the years at knowing who their customers are by doing the right kinds of checks. We would like organisations like Namecheap to do more of that of themselves. Or indeed Google. If they did the proper due diligence, they could provide more useful information to us.”
Namecheap has already attracted attention in the US for the number of fraudsters apparently using its services to lure victims.
Last March, Facebook filed an ongoing lawsuit against Namecheap claiming that the firm refused to co-operate with an investigation into dozens of malicious sites, while that same month Letitia James, the New York attorney general, wrote an open letter to six domain name firms including Namecheap urging them to step up efforts to keep scammers off their platforms.
But Namecheap’s founder and chief executive, Richard Kirkendall, wrote online earlier this month that he is hesitant to use automated tools to find imposter websites because “false positives hurt too many innocent customers”.
“We’ve lost $8 million over the last five years battling this problem,” Mr Kirkendall claimed on Twitter. “We aren’t the Gestapo. We aren’t going to spy and infringe on all of our customers’ privacy ahead of time. Add to that, tens of thousands of domains are registered with us daily. Less than one per cent ever turn out to be abusive.”